sciggs
asked on
InterVLAN Routing - Cisco ASA 5520 w/ Cisco Catalyst 3560
Hi,
I'm having some issues getting communication flowing between the ASA and the L3 switch. The goal is to have multiple VLANs behind the L3 switch, assigned by groups of ports where hosts or L2 switches will connect from there. I can't figure out what I am doing incorrectly.
ASA port GE1/0 is directly connected to L3 switch port GI0/25.
VLANS on Switch:
VLAN81: 10.10.81.1 /24
VLAN103: 10.10.103.1/24
ASA Info:
Interface: Outside (public IP Address, we'll say 2.2.2.2)
Interface: GE1/0 TRUNK
Interface: GE1/0.200 172.16.103.254 255.255.255.0
route trunk 10.10.81.0 > 172.16.103.1
route trunk 10.10.103.0 > 172.16.103.1
L3 Switch Info
int gi0/25: ip address 172.16.103.1 255.255.255.0 (no switchport)
vlan81 10.10.81.1 255.255.255.0
vlan103 10.10.103.1 255.255.255.0
route 0.0.0.0 0.0.0.0 172.16.103.254
I can ping the switch IP (172.16.103.1) from the ASA, but I cannot ping the ASA (.254) from the switch. I can post full configs if that helps but I can't seem to get this right. Any help is greatly appreciated.
It's a bit difficult to assume what the issue could be with the information you provided, as it could be a number of things.
As an assumption, I would say try to enable ICMP on your ge1/0.200 interface for inside traffic,
then change your routes from route trunk to route inside on your ASA.
Hope this helps,
Hi, there's nothing wrong with your approach, but I always consider it a better design to have a /30 network between my firewall and the core switch, as a 'firewall handoff' network. Then I don't have to worry about sub-interfaces and all the 'routing' is done by a device that was actually designed to route traffic (your L3 switch).
Anyway, to actually answer the question you asked,
>>Interface: GE1/0 TRUNK
This makes no sense to me, there should be no config on the physical interface at all?
See Cisco ASA 5500 – Sub Interfaces and VLANS
Pete
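Added example, not from either poster: the two internally consistent ways to wire the ASA-to-3560 link that the thread discusses, written out as IOS/ASA configuration. The check worth making before anything else: an ASA subinterface such as GE1/0.200 only accepts 802.1Q frames tagged with its configured VLAN, while a 3560 port configured with `no switchport` sends untagged frames, so the two ends have to agree on one of the two patterns below. Addresses are the question's except where noted; the /30 handoff subnet 172.16.103.252/30 (.253 switch, .254 ASA), VLAN 200 as the handoff VLAN, and the interface name `inside` are my assumptions.

```cisco
! ---- Variant A: routed /30 "firewall handoff" (Pete's recommendation) ----
! Assumed handoff subnet 172.16.103.252/30: ASA .254, switch .253.
! Both ends are routed ports; frames are untagged, so no VLAN needs to match.

! ASA 5520
interface GigabitEthernet1/0
 nameif inside
 security-level 100
 ip address 172.16.103.254 255.255.255.252
 no shutdown
!
! Static routes to the user VLANs point at the switch side of the handoff.
route inside 10.10.81.0 255.255.255.0 172.16.103.253 1
route inside 10.10.103.0 255.255.255.0 172.16.103.253 1
!
! Only the switch may ping the ASA's inside interface; any other source
! hits the implicit deny that applies once the first icmp rule exists.
icmp permit host 172.16.103.253 inside

! Catalyst 3560
ip routing
!
interface GigabitEthernet0/25
 no switchport
 ip address 172.16.103.253 255.255.255.252
!
interface Vlan81
 ip address 10.10.81.1 255.255.255.0
!
interface Vlan103
 ip address 10.10.103.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.103.254

! ---- Variant B: 802.1Q subinterface on the ASA, trunk on the switch ----
! Keeps the question's addresses; VLAN 200 for the handoff is assumed.
! The physical ASA interface carries no IP, nameif or security-level.

! ASA 5520
interface GigabitEthernet1/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet1/0.200
 vlan 200
 nameif inside
 security-level 100
 ip address 172.16.103.254 255.255.255.0
!
route inside 10.10.81.0 255.255.255.0 172.16.103.1 1
route inside 10.10.103.0 255.255.255.0 172.16.103.1 1
icmp permit host 172.16.103.1 inside

! Catalyst 3560: the uplink must be a trunk carrying VLAN 200 tagged,
! and the handoff IP lives on the VLAN 200 SVI, not on the physical port.
ip routing
!
vlan 200
 name FW-HANDOFF
!
interface GigabitEthernet0/25
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 200
 switchport nonegotiate
!
interface Vlan200
 ip address 172.16.103.1 255.255.255.0
!
interface Vlan81
 ip address 10.10.81.1 255.255.255.0
!
interface Vlan103
 ip address 10.10.103.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.103.254
```

Pick one variant and apply it to both ends; mixing them (a tagged subinterface on the ASA facing an untagged routed port on the switch) is exactly the kind of mismatch that leaves one side unable to reach the other. To confirm the chosen one is in effect, `show interfaces GigabitEthernet0/25 trunk` on the 3560 should list VLAN 200 as allowed and active for Variant B (and show nothing for Variant A), and `show arp` on the ASA should resolve the switch's handoff address. One security consequence of either design: because the SVIs for VLAN81 and VLAN103 are on the 3560, traffic between those two VLANs is routed by the switch and never crosses the ASA, so any policy you want enforced between them has to be a VLAN ACL or routed ACL on the switch; the ASA only sees traffic headed to or from the outside.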